An audit is an evidence-gathering
process. Audit evidence is used to
evaluate how well audit criteria are
being met. Audits must be objective, impartial, and independent,
and the audit process must be both systematic and documented.

There are three types of audits: first-party,
second-party, and third-party. First-party audits are internal
audits. Second-party and third-party audits are external audits.

Organizations use first-party audits to
audit themselves. First-party audits are used to confirm or improve
the effectiveness of management systems. They're also used to
declare that an organization complies with an ISO standard (this is
called a self-declaration). Of course, such a declaration
is credible only if the first-party auditors are genuinely independent
and free of bias. If you decide to use first-party auditors to
make a self-declaration of compliance, make sure that they aren't
auditing their own work.

Second-party audits are external audits.
They're usually done by customers or by others on their behalf.
However, they can also be done by any other external
party that has a formal interest in an organization.

Third-party audits are external audits
as well. However, they're performed by independent organizations
such as registrars (certification bodies) or regulators.

ISO 19011 2011 also
distinguishes between combined audits and joint
audits. When two or more management systems of different
disciplines are audited together at the same time, it's called a
combined audit; and when two or more auditing
organizations cooperate to audit a single auditee organization,
it's called a joint audit.

ISO 19011 2011 should be used by those who carry
out first-party and second-party audits. ISO/IEC 17021 2011 should
be used by those who carry out third-party audits.

An auditee is an
organization (or part of an organization) that is
being audited. Organizations
can include companies, corporations, enterprises,
firms, charities, associations, and institutions. Organizations
can be either incorporated or unincorporated
and can be privately or publicly owned.

An audit client is any person or
organization that requests an audit.
Internal audit clients can be
either the auditee or the audit program manager, whereas external
audit clients can include regulators, customers, or any other
parties that have a legal or contractual right or obligation to
carry out an audit.

Audit conclusions
are drawn by the audit team after the audit has been completed and
after the audit findings and audit objectives have been considered.
Audit findings result from a process that evaluates audit
evidence and compares it against audit criteria.

Audit criteria include policies,
procedures, and requirements. Audit evidence is used to determine
how well audit criteria are being met: how well policies
are being implemented, how well procedures are being applied,
and how well requirements are being followed.

When requirements are used as audit criteria,
auditors often use the terms conformity and
nonconformity to indicate whether or not the requirements are
being met. However, when legal requirements are used as audit
criteria, auditors tend to use the terms compliance and
noncompliance (instead of conformity and nonconformity).

Audit findings
result from a process that evaluates audit evidence and compares
it against audit criteria. Audit findings can show that
audit criteria are being met (conformity) or that they are not
being met (nonconformity). They can also identify best practices
or improvement opportunities.

Audit evidence
includes records, factual statements, and other verifiable
information that is related to the audit criteria being used.
Audit criteria include policies, procedures, and requirements.

An audit program (or programme)
is a set of arrangements that are intended to achieve a specific
audit purpose within a specific time frame. It includes all of the
activities and resources needed to plan, organize, and conduct one
or more audits.

The scope of an
audit is a statement that specifies the focus,
extent, and boundary of a particular audit. The scope can be specified by
defining the physical location of the audit,
the organizational units that will be examined, the processes and
activities that will be included, and the time period that will be
covered.

Competence
means being able to apply knowledge and skill to achieve intended
results. Being competent means having the knowledge and
skill that you need and knowing how to apply it. In short, being
competent means that you know how to do your job.

Conformity is the "fulfillment of a
requirement". To conform means to
meet or comply with requirements. There are many types of
requirements: management system requirements, customer
requirements, contractual requirements, regulatory requirements,
statutory requirements, and so on.

Guides are appointed by auditee
organizations to help auditors. However, they may not influence or
interfere with the conduct of an audit. Guides are
expected to identify potential interviewees, to confirm interview
schedules, to arrange access to auditee
locations, and to make sure that auditors and observers are
familiar with all relevant safety and security procedures. They may
also be asked to help auditors collect information and provide
clarification.

Nonconformity is the
"non-fulfillment of a requirement". It is a failure to comply
with requirements. A requirement is a need, expectation, or
obligation. It can be stated or implied by an organization, its
customers, or other interested parties.

Observers accompany auditors and
witness audit activities. However, they're
not audit team members and therefore do not perform audit
functions. They may not influence or interfere with the audit.
Observers can represent auditee organizations, regulators, or
any other interested party.

According to ISO Guide 73, risk is the
"effect of uncertainty on objectives", and an effect
is a positive or negative deviation from what is expected. So,
risk is the chance that there will be a positive or negative
deviation from the objective you hope to achieve.

Technical experts support audit teams
by providing specific expertise or knowledge about the
organization, process, or activity being audited, or about the
auditee's language or culture. They do not act as auditors.

The above definitions are based on ISO 19011
2011, section 3, Terms and definitions. We've translated these
definitions into Plain English in order to
make them easier to understand.
